PEP 376

Joachim Strömbergson Joachim at Strombergson.com
Tue Jun 30 23:19:52 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Aloha!

Carl Banks wrote:
> On Jun 30, 5:55 pm, Lawrence D'Oliveiro <l... at geek-
> central.gen.new_zealand> wrote:
>> In message <mailman.2410.1246390911.8015.python-l... at python.org>, Tarek
>>
>> Ziadé wrote:
>>> I would like to propose this PEP for inclusion into Python 2.7 / 3.2
>>> http://www.python.org/dev/peps/pep-0376/
>> Why are you using MD5?
> 
> I doubt it's the design aim for eggs to be cryptographically secure,
> and MD5 is sufficient to detect changes.

Even so, choosing md5 in 2009 for something that (hopefully) will be
used in years is a bad design decision. It creates a dependency on an
algorithm that all sensible recommendations point you to move away
from. Just check the hashlib documentation, for example:

http://docs.python.org/library/hashlib.html

I would suggest using SHA-256 in the library. The reason for this is
that md5 and SHA-1 are weak. The computational complexity of SHA-256
is bigger, but since it probably won't be done many thousands of times
during an egg installation, it shouldn't add a noticeable delay.

- --
Med vänlig hälsning, Yours

Joachim Strömbergson - Alltid i harmonisk svängning.
========================================================================
Kryptoblog - IT-säkerhet på svenska
http://www.strombergson.com/kryptoblog
========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpK1dgACgkQZoPr8HT30QEwRACg0vhO6TO1k0Pesm5qQOJVen/H
vxwAoKdNZZkrDvm/CtQVbr0kZog0sX/U
=Frss
-----END PGP SIGNATURE-----
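The point Joachim makes is that the installer's per-file hash is a pluggable choice in hashlib, so swapping MD5 for SHA-256 costs one string, and a verifier can simply refuse records that name a weak algorithm. The following is an added example illustrating that, not code from the PEP, from setuptools or from anyone in this thread. The "path,algorithm=digest,size" line layout, the urlsafe-base64 digest encoding and the set of accepted algorithms are assumptions made for the example; the sample files are constructed inline.

```python
import base64
import hashlib
import io

# Constructed sample of "installed files" (path -> content); not from the PEP.
SAMPLE_FILES = {
    "pkg/__init__.py": b"__version__ = '1.0'\n",
    "pkg/core.py": b"def add(a, b):\n    return a + b\n",
}

# Assumption for this example: which hash names a verifier should accept.
# MD5 and SHA-1 are deliberately absent.
ALLOWED_ALGORITHMS = frozenset({"sha256", "sha512"})


def file_digest(data: bytes, algorithm: str = "sha256", chunk_size: int = 65536) -> str:
    """Hash `data` with the named hashlib algorithm, feeding it in chunks the
    way an installer would stream a large file, and return the digest as
    urlsafe base64 with the '=' padding stripped (encoding is an assumption
    of this example). Only the algorithm name changes between md5 and sha256."""
    h = hashlib.new(algorithm)
    stream = io.BytesIO(data)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return base64.urlsafe_b64encode(h.digest()).rstrip(b"=").decode("ascii")


def build_record(files: dict, algorithm: str = "sha256") -> list:
    """Produce one 'path,algorithm=digest,size' line per file, sorted by path.
    Paths containing commas would need CSV quoting; omitted here for brevity."""
    lines = []
    for path in sorted(files):
        data = files[path]
        lines.append(f"{path},{algorithm}={file_digest(data, algorithm)},{len(data)}")
    return lines


def verify_record(record_lines: list, files: dict, allowed=ALLOWED_ALGORITHMS) -> tuple:
    """Re-hash every recorded file and return (ok, problems).

    A record that names a weak or unknown algorithm is reported as a problem
    rather than silently accepted, so a downgraded RECORD cannot pass."""
    problems = []
    for line in record_lines:
        path, hash_field, size = line.rsplit(",", 2)
        algorithm, _, expected = hash_field.partition("=")
        if algorithm not in allowed:
            problems.append(f"{path}: algorithm {algorithm!r} not allowed")
            continue
        data = files.get(path)
        if data is None:
            problems.append(f"{path}: missing")
            continue
        if len(data) != int(size):
            problems.append(f"{path}: size mismatch")
            continue
        if file_digest(data, algorithm) != expected:
            problems.append(f"{path}: digest mismatch")
    return (not problems, problems)


if __name__ == "__main__":
    record = build_record(SAMPLE_FILES)
    print("\n".join(record))
    print(verify_record(record, SAMPLE_FILES))
    tampered = dict(SAMPLE_FILES)
    tampered["pkg/core.py"] = b"def add(a, b):\n    return a - b\n"
    print(verify_record(record, tampered))
    print(verify_record(build_record(SAMPLE_FILES, "md5"), SAMPLE_FILES))
```

Because `hashlib.new()` takes the algorithm by name, the choice of hash becomes data in the record rather than a constant in the installer, which is what lets a later verifier tighten the accepted set without re-reading every file's format.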


